On 3/11/22 09:37, Stanisław Findeisen via Mailman-users wrote:
Dear Experts
What is the best way to go about reconciling GNU Mailman3-made message modifications (like message footers or subject prefixes) with sender-made DKIM signatures? I am aware of the "DMARC mitigations" tab in the list settings, not bad, but it looks that "replace From: with list address" doesn't help (of course), whereas wrapping the message in an outer message often looks ugly. Is there a better way?...
BTW I would like to point out that broken DKIM signature can be a problem even with an easy DMARC policy; for example ProtonMail will display this flashy red warning: https://protonmail.com/support/knowledge-base/email-has-failed-its-domains-a... in its webmail. (I guess nothing can be done about it except "DMARC Mitigate unconditionally").
ProtonMail is broken - see https://www.rfc-editor.org/rfc/rfc6376.html#section-6.1
That said, BCP recommends removing the signatures that the MLM will break https://www.rfc-editor.org/rfc/rfc6377.html#section-5.7
Mailman implements this with the mailman.cfg setting
[mta]
remove_dkim_headers: yes
Also, your outgoing MTA should DKIM sign the mail on the way out. With that and the above setting, the outgoing message will have only your valid DKIM signature and no prior Authentication-Results:.
ARC <https://www.rfc-editor.org/rfc/rfc8617.html> is intended to address this while preserving prior authentication results and is supported by Mailman, but is not accepted by all receivers.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan